<!DOCTYPE html>


<html lang="en">


<head>
  <meta charset="utf-8" />
    
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
  <title>
    springsecurity授权 |  一曲秋殇
  </title>
  <meta name="generator" content="hexo-theme-ayer">
  
  <link rel="shortcut icon" href="/images/myfavicon.ico" />
  
  
<link rel="stylesheet" href="/dist/main.css">

  
<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/Shen-Yu/cdn/css/remixicon.min.css">

  
<link rel="stylesheet" href="/css/custom.css">

  
  
<script src="https://cdn.jsdelivr.net/npm/pace-js@1.0.2/pace.min.js"></script>

  
  

  

</head>

</html>

<body>
  <div id="app">
    
      
    <main class="content on">
      <section class="outer">
  <article
  id="post-spring/security/springsecurity授权"
  class="article article-type-post"
  itemscope
  itemprop="blogPost"
  data-scroll-reveal
>
  <div class="article-inner">
    
    <header class="article-header">
       
<h1 class="article-title sea-center" style="border-left:0" itemprop="name">
  springsecurity授权
</h1>
 

    </header>
     
    <div class="article-meta">
      <a href="/spring/security/springsecurity%E6%8E%88%E6%9D%83/" class="article-date">
  <time datetime="2021-12-13T05:51:40.043Z" itemprop="datePublished">2021-12-13</time>
</a> 
  <div class="article-category">
    <a class="article-category-link" href="/categories/%E5%90%8E%E5%8F%B0/">后台</a> / <a class="article-category-link" href="/categories/%E5%90%8E%E5%8F%B0/java/">java</a> / <a class="article-category-link" href="/categories/%E5%90%8E%E5%8F%B0/java/spring/">spring</a> / <a class="article-category-link" href="/categories/%E5%90%8E%E5%8F%B0/java/spring/springsecurity/">springsecurity</a>
  </div>
  
<div class="word_count">
    <span class="post-time">
        <span class="post-meta-item-icon">
            <i class="ri-quill-pen-line"></i>
            <span class="post-meta-item-text"> Word count:</span>
            <span class="post-count">1k</span>
        </span>
    </span>

    <span class="post-time">
        &nbsp; | &nbsp;
        <span class="post-meta-item-icon">
            <i class="ri-book-open-line"></i>
            <span class="post-meta-item-text"> Reading time≈</span>
            <span class="post-count">4 min</span>
        </span>
    </span>
</div>
 
    </div>
      
    <div class="tocbot"></div>




  
    <div class="article-entry" itemprop="articleBody">
       
  <link rel="stylesheet" type="text/css" href="https://cdn.jsdelivr.net/hint.css/2.4.1/hint.min.css"><h4 id="FilterSecurityInterceptor-相关配置加载"><a href="#FilterSecurityInterceptor-相关配置加载" class="headerlink" title="FilterSecurityInterceptor 相关配置加载"></a>FilterSecurityInterceptor 相关配置加载</h4><hr>
<blockquote>
<p><a target="_blank" rel="noopener" href="https://www.processon.com/view/link/5df84c9ae4b0c4255e9ec460">FilterSecurityInterceptor相关类图</a></p>
</blockquote>
<p>  在重写WebSecurityConfigurerAdapter#configure(HttpSecurity http) 方法时，通过http.authorizeRequests()进行权限配置时会触发ExpressionUrlAuthorizationConfigurer配置加载</p>
   <div class='spoiler collapsed'>
    <div class='spoiler-title'>
        HttpSecurity.class
    </div>
    <div class='spoiler-content'>
        <figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> ExpressionUrlAuthorizationConfigurer&lt;HttpSecurity&gt;.<span class="function">ExpressionInterceptUrlRegistry <span class="title">authorizeRequests</span><span class="params">()</span> <span class="keyword">throws</span> Exception </span>&#123;</span><br><span class="line">  ApplicationContext context = getContext();</span><br><span class="line">  <span class="comment">//getRegistry()返回ExpressionUrlAuthorizationConfigurer#ExpressionInterceptUrlRegistry对象</span></span><br><span class="line">  <span class="keyword">return</span> getOrApply(<span class="keyword">new</span> ExpressionUrlAuthorizationConfigurer&lt;&gt;(context)).getRegistry();</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">private</span> &lt;C&gt; extends SecurityConfigurerAdapter&lt;DefaultSecurityFilterChain, HttpSecurity&gt;&gt; <span class="function">C <span class="title">getOrApply</span><span class="params">(	C configurer)</span> <span class="keyword">throws</span> Exception </span>&#123;</span><br><span class="line">  C existingConfig = (C) getConfigurer(configurer.getClass());</span><br><span class="line">  <span class="keyword">if</span> (existingConfig != <span class="keyword">null</span>) &#123;</span><br><span class="line">     <span class="keyword">return</span> existingConfig;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="comment">//设置配置到HttpSecurity对象中</span></span><br><span class="line">  <span class="keyword">return</span> apply(configurer);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
    </div>
</div>

   <div class='spoiler collapsed'>
    <div class='spoiler-title'>
        ExpressionUrlAuthorizationConfigurer.class
    </div>
    <div class='spoiler-content'>
        <figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="title">ExpressionUrlAuthorizationConfigurer</span><span class="params">(ApplicationContext context)</span> </span>&#123;</span><br><span class="line">	<span class="keyword">this</span>.REGISTRY = <span class="keyword">new</span> ExpressionInterceptUrlRegistry(context);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

    </div>
</div>

   <div class='spoiler collapsed'>
    <div class='spoiler-title'>
        ExpressionUrlAuthorizationConfigurer#ExpressionInterceptUrlRegistry
    </div>
    <div class='spoiler-content'>
        <figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">ExpressionInterceptUrlRegistry</span> <span class="keyword">extends</span> <span class="title">ExpressionUrlAuthorizationConfigurer</span>&lt;<span class="title">H</span>&gt;.<span class="title">AbstractInterceptUrlRegistry</span>&lt;<span class="title">ExpressionInterceptUrlRegistry</span>, <span class="title">AuthorizedUrl</span>&gt; </span>&#123;</span><br><span class="line">		</span><br><span class="line">	<span class="meta">@Override</span></span><br><span class="line">	<span class="function"><span class="keyword">public</span> MvcMatchersAuthorizedUrl <span class="title">mvcMatchers</span><span class="params">(HttpMethod method, String... mvcPatterns)</span> </span>&#123;</span><br><span class="line">		<span class="keyword">return</span> <span class="keyword">new</span> MvcMatchersAuthorizedUrl(createMvcMatchers(method, mvcPatterns));</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	<span class="meta">@Override</span></span><br><span class="line">	<span class="function"><span class="keyword">public</span> MvcMatchersAuthorizedUrl <span class="title">mvcMatchers</span><span class="params">(String... patterns)</span> </span>&#123;</span><br><span class="line">		<span class="keyword">return</span> mvcMatchers(<span class="keyword">null</span>, patterns);</span><br><span class="line">	&#125; </span><br><span class="line">	<span class="function"><span class="keyword">public</span> H <span class="title">and</span><span class="params">()</span> </span>&#123;</span><br><span class="line">		<span class="keyword">return</span> ExpressionUrlAuthorizationConfigurer.<span class="keyword">this</span>.and();</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
    </div>
</div>

<p>   ExpressionInterceptUrlRegistry继承自AbstractInterceptUrlRegistry，该类中有个公有的accessDecisionManager方法可以设置accessDecisionManager</p>
   <div class='spoiler collapsed'>
    <div class='spoiler-title'>
        AbstractInterceptUrlConfigurer.class
    </div>
    <div class='spoiler-content'>
        <figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//可通过http.authorizeRequests().accessDecisionManager()的方式设置自定义的accessDecisionManager</span></span><br><span class="line"><span class="function"><span class="keyword">public</span> R <span class="title">accessDecisionManager</span><span class="params">(AccessDecisionManager accessDecisionManager)</span> </span>&#123;</span><br><span class="line">	 AbstractInterceptUrlConfigurer.<span class="keyword">this</span>.accessDecisionManager = accessDecisionManager;</span><br><span class="line">	 <span class="keyword">return</span> getSelf();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
    </div>
</div>

<p>   上面将ExpressionUrlAuthorizationConfigurer添加到HttpSecurity对象中后，在构建http对象时会调用配置的init和configure方法<br>   具体构建流程可查看 <a target="_blank" rel="noopener" href="https://www.processon.com/view/link/5df88954e4b06c8b0bb0aad0">链接</a> 中4.5.3#3<br>   ExpressionUrlAuthorizationConfigurer继承自AbstractInterceptUrlConfigurer，configure逻辑在该父类中</p>
   <div class='spoiler collapsed'>
    <div class='spoiler-title'>
        AbstractInterceptUrlConfigurer.class
    </div>
    <div class='spoiler-content'>
        <figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">@Override</span></span><br><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">void</span> <span class="title">configure</span><span class="params">(H http)</span> <span class="keyword">throws</span> Exception </span>&#123;</span><br><span class="line">  <span class="comment">//metadataSource为ExpressionInterceptUrlRegistry中添加的自定义权限设置规则</span></span><br><span class="line">	 FilterInvocationSecurityMetadataSource metadataSource = createMetadataSource(http);</span><br><span class="line">	 <span class="keyword">if</span> (metadataSource == <span class="keyword">null</span>) &#123;</span><br><span class="line">		<span class="keyword">return</span>;</span><br><span class="line">	 &#125;</span><br><span class="line">	 <span class="comment">//调用createFilterSecurityInterceptor方法创建FilterSecurityInterceptor对象</span></span><br><span class="line">	 FilterSecurityInterceptor securityInterceptor = createFilterSecurityInterceptor(http, metadataSource, http.getSharedObject(AuthenticationManager.class));</span><br><span class="line">	 <span class="keyword">if</span> (filterSecurityInterceptorOncePerRequest != <span class="keyword">null</span>) &#123;</span><br><span class="line">		securityInterceptor.setObserveOncePerRequest(filterSecurityInterceptorOncePerRequest);</span><br><span class="line">	 &#125;</span><br><span class="line">	 securityInterceptor = postProcess(securityInterceptor);</span><br><span class="line">	 <span class="comment">//添加FilterSecurityInterceptor过滤器到过滤器链</span></span><br><span class="line">	 http.addFilter(securityInterceptor);</span><br><span class="line">	 http.setSharedObject(FilterSecurityInterceptor.class, securityInterceptor);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">private</span> FilterSecurityInterceptor <span class="title">createFilterSecurityInterceptor</span><span class="params">(H http,FilterInvocationSecurityMetadataSource metadataSource,AuthenticationManager authenticationManager)</span> <span class="keyword">throws</span> Exception </span>&#123;</span><br><span class="line">	 FilterSecurityInterceptor securityInterceptor = <span class="keyword">new</span> FilterSecurityInterceptor();</span><br><span class="line">	 <span class="comment">//@1</span></span><br><span class="line">	 securityInterceptor.setSecurityMetadataSource(metadataSource);</span><br><span class="line">  <span class="comment">//@2设置accessDecisionManager</span></span><br><span class="line">	 securityInterceptor.setAccessDecisionManager(getAccessDecisionManager(http));</span><br><span class="line">	 <span class="comment">//@3</span></span><br><span class="line">	 securityInterceptor.setAuthenticationManager(authenticationManager);</span><br><span class="line">	 securityInterceptor.afterPropertiesSet();</span><br><span class="line">	 <span class="keyword">return</span> securityInterceptor;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">private</span> AccessDecisionManager <span class="title">getAccessDecisionManager</span><span class="params">(H http)</span> </span>&#123;</span><br><span class="line">  <span class="comment">//如果有通过http.authorizeRequests().accessDecisionManager()设置则使用设置的值</span></span><br><span class="line">  <span class="comment">//没有设置的则默认创建AffirmativeBased对象</span></span><br><span class="line">	 <span class="keyword">if</span> (accessDecisionManager == <span class="keyword">null</span>) &#123;</span><br><span class="line">		accessDecisionManager = createDefaultAccessDecisionManager(http);</span><br><span class="line">  &#125;</span><br><span class="line">	 <span class="keyword">return</span> accessDecisionManager;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>
    </div>
</div>


<h4 id="FilterSecurityInterceptor-处理流程"><a href="#FilterSecurityInterceptor-处理流程" class="headerlink" title="FilterSecurityInterceptor 处理流程"></a>FilterSecurityInterceptor 处理流程</h4><hr>
<p>   请求进入FilterSecurityInterceptor#doFilter后回调用invoke方法</p>
<div class='spoiler collapsed'>
    <div class='spoiler-title'>
        FilterSecurityInterceptor.class
    </div>
    <div class='spoiler-content'>
        <figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">void</span> <span class="title">invoke</span><span class="params">(FilterInvocation fi)</span> <span class="keyword">throws</span> IOException, ServletException </span>&#123;</span><br><span class="line"> 	<span class="comment">//同一个request之前有执行过权限校验则直接放行</span></span><br><span class="line"> 	<span class="keyword">if</span> ((fi.getRequest() != <span class="keyword">null</span>)</span><br><span class="line"> 			&amp;&amp; (fi.getRequest().getAttribute(FILTER_APPLIED) != <span class="keyword">null</span>)</span><br><span class="line"> 			&amp;&amp; observeOncePerRequest) &#123;</span><br><span class="line"> 		fi.getChain().doFilter(fi.getRequest(), fi.getResponse());</span><br><span class="line"> 	&#125;</span><br><span class="line"> 	<span class="keyword">else</span> &#123;</span><br><span class="line"> 		<span class="comment">//往request中设值，下次进入时通过此值判断该request之前有执行过校验逻辑</span></span><br><span class="line"> 		<span class="keyword">if</span> (fi.getRequest() != <span class="keyword">null</span> &amp;&amp; observeOncePerRequest) &#123;</span><br><span class="line"> 			fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);</span><br><span class="line"> 		&#125;</span><br><span class="line"> 		<span class="comment">//调用父类beforeInvocation方法进行权限校验</span></span><br><span class="line"> 		InterceptorStatusToken token = <span class="keyword">super</span>.beforeInvocation(fi);</span><br><span class="line"> </span><br><span class="line"> 		<span class="keyword">try</span> &#123;</span><br><span class="line"> 			<span class="comment">//父类校验没有发生异常则执行后续的过滤器</span></span><br><span class="line"> 			fi.getChain().doFilter(fi.getRequest(), fi.getResponse());</span><br><span class="line"> 		&#125;</span><br><span class="line"> 		<span class="keyword">finally</span> &#123;</span><br><span class="line"> 			<span class="keyword">super</span>.finallyInvocation(token);</span><br><span class="line"> 		&#125;</span><br><span class="line"> </span><br><span class="line"> 		<span class="keyword">super</span>.afterInvocation(token, <span class="keyword">null</span>);</span><br><span class="line"> 	 &#125;</span><br><span class="line"> &#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>
    </div>
</div>

<p>   主要的校验逻辑都在AbstractSecurityInterceptor#beforeInvocation方法中<br>   精简后的代码如下</p>
   <div class='spoiler collapsed'>
    <div class='spoiler-title'>
        AbstractSecurityInterceptor.class
    </div>
    <div class='spoiler-content'>
        <figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">protected</span> InterceptorStatusToken <span class="title">beforeInvocation</span><span class="params">(Object object)</span> </span>&#123;</span><br><span class="line">   <span class="keyword">final</span> <span class="keyword">boolean</span> debug = logger.isDebugEnabled();</span><br><span class="line">   <span class="comment">//在@1处创建FilterSecurityInterceptor对象时有设置securityMetadataSource</span></span><br><span class="line">   <span class="comment">//getAttributes主要是取出http设置的权限规则中与本次请求匹配的配置属性</span></span><br><span class="line">   Collection&lt;ConfigAttribute&gt; attributes = <span class="keyword">this</span>.obtainSecurityMetadataSource().getAttributes(object);</span><br><span class="line">   <span class="comment">//如果没有相关的配置属性，则直接放行</span></span><br><span class="line">   <span class="keyword">if</span> (attributes == <span class="keyword">null</span> || attributes.isEmpty()) &#123;</span><br><span class="line">   	publishEvent(<span class="keyword">new</span> PublicInvocationEvent(object));</span><br><span class="line">   	<span class="keyword">return</span> <span class="keyword">null</span>; <span class="comment">// no further work post-invocation</span></span><br><span class="line">   &#125;</span><br><span class="line">   <span class="comment">//线程上下文中没有Authentication对象则抛出AuthenticationException异常</span></span><br><span class="line">   <span class="keyword">if</span> (SecurityContextHolder.getContext().getAuthentication() == <span class="keyword">null</span>) &#123;</span><br><span class="line">   	credentialsNotFound(messages.getMessage(<span class="string">&quot;AbstractSecurityInterceptor.authenticationNotFound&quot;</span>,</span><br><span class="line">   			<span class="string">&quot;An Authentication object was not found in the SecurityContext&quot;</span>),object, attributes);</span><br><span class="line">   &#125;</span><br><span class="line">   <span class="comment">//取出认证的Authentication对象，如果没有认证会调用@3处的authenticationManager进行认证操作</span></span><br><span class="line">   Authentication authenticated = authenticateIfRequired();</span><br><span class="line">   </span><br><span class="line">   <span class="keyword">try</span> &#123;</span><br><span class="line">       <span class="comment">//调用@2处设置的accessDecisionManager的decide方法进行授权校验，校验不通过抛出AccessDeniedException异常</span></span><br><span class="line">   	  <span class="keyword">this</span>.accessDecisionManager.decide(authenticated, object, attributes);</span><br><span class="line">   &#125;</span><br><span class="line">   <span class="keyword">catch</span> (AccessDeniedException accessDeniedException) &#123;</span><br><span class="line">   	publishEvent(<span class="keyword">new</span> AuthorizationFailureEvent(object, attributes, authenticated,accessDeniedException));</span><br><span class="line">   		<span class="keyword">throw</span> accessDeniedException;</span><br><span class="line">   &#125;</span><br><span class="line">   </span><br><span class="line">   <span class="keyword">if</span> (publishAuthorizationSuccess) &#123;</span><br><span class="line">   	publishEvent(<span class="keyword">new</span> AuthorizedEvent(object, attributes, authenticated));</span><br><span class="line">   &#125;</span><br><span class="line">   </span><br><span class="line">   Authentication runAs = <span class="keyword">this</span>.runAsManager.buildRunAs(authenticated, object,attributes);</span><br><span class="line">   </span><br><span class="line">   <span class="keyword">if</span> (runAs == <span class="keyword">null</span>) &#123;</span><br><span class="line">   	<span class="comment">// no further work post-invocation</span></span><br><span class="line">     <span class="keyword">return</span> <span class="keyword">new</span> InterceptorStatusToken(SecurityContextHolder.getContext(), <span class="keyword">false</span>,attributes, object);</span><br><span class="line">   &#125;</span><br><span class="line">   <span class="keyword">else</span> &#123;</span><br><span class="line">   	SecurityContext origCtx = SecurityContextHolder.getContext();</span><br><span class="line">   	SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());</span><br><span class="line">   	SecurityContextHolder.getContext().setAuthentication(runAs);</span><br><span class="line">   	<span class="keyword">return</span> <span class="keyword">new</span> InterceptorStatusToken(origCtx, <span class="keyword">true</span>, attributes, object);</span><br><span class="line">   &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
    </div>
</div>

<p>   AccessDecisionManager有三个实现类</p>
<ol>
<li><p>AffirmativeBased（默认）： 一票通过，只要有一个投票器通过就允许访问</p>
</li>
<li><p>ConsensusBased： 有一半以上投票器通过才允许访问资源</p>
</li>
<li><p>UnanimousBased： 所有投票器都通过才允许访问</p>
<p>也可重写WebSecurityConfigurerAdapter#configure(HttpSecurity http) 方法通过如下代码设置自定义AccessDecisionManager</p>
<div class='spoiler collapsed'>
    <div class='spoiler-title'>
        WebSecurityConfigurerAdapter#configure
    </div>
    <div class='spoiler-content'>
        <figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http.authorizeRequests().accessDecisionManager()</span><br></pre></td></tr></table></figure>
    </div>
</div>

</li>
</ol>
<link rel="stylesheet" href="/css/spoiler.css" type="text/css"><script src="/js/spoiler.js" type="text/javascript" async></script> 
      <!-- reward -->
      
    </div>
    

    <!-- copyright -->
    
    <footer class="article-footer">
       
<div class="share-btn">
      <span class="share-sns share-outer">
        <i class="ri-share-forward-line"></i>
        分享
      </span>
      <div class="share-wrap">
        <i class="arrow"></i>
        <div class="share-icons">
          
          <a class="weibo share-sns" href="javascript:;" data-type="weibo">
            <i class="ri-weibo-fill"></i>
          </a>
          <a class="weixin share-sns wxFab" href="javascript:;" data-type="weixin">
            <i class="ri-wechat-fill"></i>
          </a>
          <a class="qq share-sns" href="javascript:;" data-type="qq">
            <i class="ri-qq-fill"></i>
          </a>
          <a class="douban share-sns" href="javascript:;" data-type="douban">
            <i class="ri-douban-line"></i>
          </a>
          <!-- <a class="qzone share-sns" href="javascript:;" data-type="qzone">
            <i class="icon icon-qzone"></i>
          </a> -->
          
          <a class="facebook share-sns" href="javascript:;" data-type="facebook">
            <i class="ri-facebook-circle-fill"></i>
          </a>
          <a class="twitter share-sns" href="javascript:;" data-type="twitter">
            <i class="ri-twitter-fill"></i>
          </a>
          <a class="google share-sns" href="javascript:;" data-type="google">
            <i class="ri-google-fill"></i>
          </a>
        </div>
      </div>
</div>

<div class="wx-share-modal">
    <a class="modal-close" href="javascript:;"><i class="ri-close-circle-line"></i></a>
    <p>扫一扫，分享到微信</p>
    <div class="wx-qrcode">
      <img src="//api.qrserver.com/v1/create-qr-code/?size=150x150&data=https://luobiao320.gitee.io/spring/security/springsecurity%E6%8E%88%E6%9D%83/" alt="微信分享二维码">
    </div>
</div>

<div id="share-mask"></div>  
  <ul class="article-tag-list" itemprop="keywords"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/spring/" rel="tag">spring</a></li><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/springsecurity/" rel="tag">springsecurity</a></li></ul>

    </footer>
  </div>

   
  <nav class="article-nav">
    
      <a href="/git/git%E6%93%8D%E4%BD%9C%E5%AD%98%E5%82%A8%E5%8E%9F%E7%90%86/" class="article-nav-link">
        <strong class="article-nav-caption">上一篇</strong>
        <div class="article-nav-title">
          
            git操作存储原理
          
        </div>
      </a>
    
    
      <a href="/git/git%E5%91%BD%E4%BB%A4/" class="article-nav-link">
        <strong class="article-nav-caption">下一篇</strong>
        <div class="article-nav-title">git命令</div>
      </a>
    
  </nav>

   
<!-- valine评论 -->
<div id="vcomments-box">
  <div id="vcomments"></div>
</div>
<script src="//cdn1.lncld.net/static/js/3.0.4/av-min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/valine@1.4.14/dist/Valine.min.js"></script>
<script>
  new Valine({
    el: "#vcomments",
    app_id: "kHx6wceVXdEyiCrLm0sLAwoF-gzGzoHsz",
    app_key: "ArEdGk6wzHOhrXLiwmClhDNH",
    path: window.location.pathname,
    avatar: "monsterid",
    placeholder: "给我的文章加点评论吧~",
    recordIP: true,
  });
  const infoEle = document.querySelector("#vcomments .info");
  if (infoEle && infoEle.childNodes && infoEle.childNodes.length > 0) {
    infoEle.childNodes.forEach(function (item) {
      item.parentNode.removeChild(item);
    });
  }
</script>
<style>
  #vcomments-box {
    padding: 5px 30px;
  }

  @media screen and (max-width: 800px) {
    #vcomments-box {
      padding: 5px 0px;
    }
  }

  #vcomments-box #vcomments {
    background-color: #fff;
  }

  .v .vlist .vcard .vh {
    padding-right: 20px;
  }

  .v .vlist .vcard {
    padding-left: 10px;
  }
</style>

 
     
</article>

</section>
      <footer class="footer">
  <div class="outer">
    <ul>
      <li>
        Copyrights &copy;
        2020-2021
        <i class="ri-heart-fill heart_icon"></i> luobiao
      </li>
    </ul>
    <ul>
      <li>
        
        
        
        Powered by <a href="https://hexo.io" target="_blank">Hexo</a>
        <span class="division">|</span>
        Theme - <a href="https://github.com/Shen-Yu/hexo-theme-ayer" target="_blank">Ayer</a>
        
      </li>
    </ul>
    <ul>
      <li>
        
      </li>
    </ul>
    <ul>
      
        <li>
          <a href="http://beian.miit.gov.cn/" target="_black" rel="nofollow">赣ICP备2020014719号-1</a>
        </li>
        
    </ul>
    <ul>
      
    </ul>
    <ul>
      <li>
        <!-- cnzz统计 -->
        
      </li>
    </ul>
  </div>
</footer>
      <div class="float_btns">
        <div class="totop" id="totop">
  <i class="ri-arrow-up-line"></i>
</div>

<div class="todark" id="todark">
  <i class="ri-moon-line"></i>
</div>

      </div>
    </main>
    <aside class="sidebar on">
      <button class="navbar-toggle"></button>
<nav class="navbar">
  
  <div class="logo">
    <a href="/"><img src="http://img.luobiao.vip/53119d0bda706bbe350333137a67ea3e_1.jpg" alt="一曲秋殇"></a>
  </div>
  
  <ul class="nav nav-main">
    
    <li class="nav-item">
      <a class="nav-item-link" href="/">主页</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/categories">分类</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/archives">归档</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/tags">标签</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/tags/dubbo">dubbo</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/tags/spring">spring</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/tags/mysql">mysql</a>
    </li>
    
  </ul>
</nav>
<nav class="navbar navbar-bottom">
  <ul class="nav">
    <li class="nav-item">
      
      <a class="nav-item-link nav-item-search"  title="Search">
        <i class="ri-search-line"></i>
      </a>
      
      
    </li>
  </ul>
</nav>
<div class="search-form-wrap">
  <div class="local-search local-search-plugin">
  <input type="search" id="local-search-input" class="local-search-input" placeholder="Search...">
  <div id="local-search-result" class="local-search-result"></div>
</div>
</div>
    </aside>
    <script>
      if (window.matchMedia("(max-width: 768px)").matches) {
        document.querySelector('.content').classList.remove('on');
        document.querySelector('.sidebar').classList.remove('on');
      }
    </script>
    <div id="mask"></div>

<!-- #reward -->
<div id="reward">
  <span class="close"><i class="ri-close-line"></i></span>
  <p class="reward-p"><i class="ri-cup-line"></i>请我喝杯咖啡吧~</p>
  <div class="reward-box">
    
    <div class="reward-item">
      <img class="reward-img" src="https://cdn.jsdelivr.net/gh/Shen-Yu/cdn/img/alipay.jpg">
      <span class="reward-type">支付宝</span>
    </div>
    
    
    <div class="reward-item">
      <img class="reward-img" src="https://cdn.jsdelivr.net/gh/Shen-Yu/cdn/img/wechat.jpg">
      <span class="reward-type">微信</span>
    </div>
    
  </div>
</div>
    
<script src="/js/jquery-2.0.3.min.js"></script>


<script src="/js/lazyload.min.js"></script>

<!-- Tocbot -->


<script src="/js/tocbot.min.js"></script>

<script>
  tocbot.init({
    tocSelector: '.tocbot',
    contentSelector: '.article-entry',
    headingSelector: 'h1, h2, h3, h4, h5, h6',
    hasInnerContainers: true,
    scrollSmooth: true,
    scrollContainer: 'main',
    positionFixedSelector: '.tocbot',
    positionFixedClass: 'is-position-fixed',
    fixedSidebarOffset: 'auto'
  });
</script>

<script src="https://cdn.jsdelivr.net/npm/jquery-modal@0.9.2/jquery.modal.min.js"></script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/jquery-modal@0.9.2/jquery.modal.min.css">
<script src="https://cdn.jsdelivr.net/npm/justifiedGallery@3.7.0/dist/js/jquery.justifiedGallery.min.js"></script>

<script src="/dist/main.js"></script>

<!-- ImageViewer -->

<!-- Root element of PhotoSwipe. Must have class pswp. -->
<div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">

    <!-- Background of PhotoSwipe. 
         It's a separate element as animating opacity is faster than rgba(). -->
    <div class="pswp__bg"></div>

    <!-- Slides wrapper with overflow:hidden. -->
    <div class="pswp__scroll-wrap">

        <!-- Container that holds slides. 
            PhotoSwipe keeps only 3 of them in the DOM to save memory.
            Don't modify these 3 pswp__item elements, data is added later on. -->
        <div class="pswp__container">
            <div class="pswp__item"></div>
            <div class="pswp__item"></div>
            <div class="pswp__item"></div>
        </div>

        <!-- Default (PhotoSwipeUI_Default) interface on top of sliding area. Can be changed. -->
        <div class="pswp__ui pswp__ui--hidden">

            <div class="pswp__top-bar">

                <!--  Controls are self-explanatory. Order can be changed. -->

                <div class="pswp__counter"></div>

                <button class="pswp__button pswp__button--close" title="Close (Esc)"></button>

                <button class="pswp__button pswp__button--share" style="display:none" title="Share"></button>

                <button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button>

                <button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>

                <!-- Preloader demo http://codepen.io/dimsemenov/pen/yyBWoR -->
                <!-- element will get class pswp__preloader--active when preloader is running -->
                <div class="pswp__preloader">
                    <div class="pswp__preloader__icn">
                        <div class="pswp__preloader__cut">
                            <div class="pswp__preloader__donut"></div>
                        </div>
                    </div>
                </div>
            </div>

            <div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
                <div class="pswp__share-tooltip"></div>
            </div>

            <button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)">
            </button>

            <button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)">
            </button>

            <div class="pswp__caption">
                <div class="pswp__caption__center"></div>
            </div>

        </div>

    </div>

</div>

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/default-skin/default-skin.min.css">
<script src="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe-ui-default.min.js"></script>

<script>
    function viewer_init() {
        let pswpElement = document.querySelectorAll('.pswp')[0];
        let $imgArr = document.querySelectorAll(('.article-entry img:not(.reward-img)'))

        $imgArr.forEach(($em, i) => {
            $em.onclick = () => {
                // slider展开状态
                // todo: 这样不好，后面改成状态
                if (document.querySelector('.left-col.show')) return
                let items = []
                $imgArr.forEach(($em2, i2) => {
                    let img = $em2.getAttribute('data-idx', i2)
                    let src = $em2.getAttribute('data-target') || $em2.getAttribute('src')
                    let title = $em2.getAttribute('alt')
                    // 获得原图尺寸
                    const image = new Image()
                    image.src = src
                    items.push({
                        src: src,
                        w: image.width || $em2.width,
                        h: image.height || $em2.height,
                        title: title
                    })
                })
                var gallery = new PhotoSwipe(pswpElement, PhotoSwipeUI_Default, items, {
                    index: parseInt(i)
                });
                gallery.init()
            }
        })
    }
    viewer_init()
</script>

<!-- MathJax -->

<!-- Katex -->

<!-- busuanzi  -->

<!-- ClickLove -->

<!-- ClickBoom1 -->

<!-- ClickBoom2 -->

<!-- CodeCopy -->


<link rel="stylesheet" href="/css/clipboard.css">

<script src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js"></script>
<script>
  function wait(callback, seconds) {
    var timelag = null;
    timelag = window.setTimeout(callback, seconds);
  }
  !function (e, t, a) {
    var initCopyCode = function(){
      var copyHtml = '';
      copyHtml += '<button class="btn-copy" data-clipboard-snippet="">';
      copyHtml += '<i class="ri-file-copy-2-line"></i><span>COPY</span>';
      copyHtml += '</button>';
      $(".highlight .code pre").before(copyHtml);
      $(".article pre code").before(copyHtml);
      var clipboard = new ClipboardJS('.btn-copy', {
        target: function(trigger) {
          return trigger.nextElementSibling;
        }
      });
      clipboard.on('success', function(e) {
        let $btn = $(e.trigger);
        $btn.addClass('copied');
        let $icon = $($btn.find('i'));
        $icon.removeClass('ri-file-copy-2-line');
        $icon.addClass('ri-checkbox-circle-line');
        let $span = $($btn.find('span'));
        $span[0].innerText = 'COPIED';
        
        wait(function () { // 等待两秒钟后恢复
          $icon.removeClass('ri-checkbox-circle-line');
          $icon.addClass('ri-file-copy-2-line');
          $span[0].innerText = 'COPY';
        }, 2000);
      });
      clipboard.on('error', function(e) {
        e.clearSelection();
        let $btn = $(e.trigger);
        $btn.addClass('copy-failed');
        let $icon = $($btn.find('i'));
        $icon.removeClass('ri-file-copy-2-line');
        $icon.addClass('ri-time-line');
        let $span = $($btn.find('span'));
        $span[0].innerText = 'COPY FAILED';
        
        wait(function () { // 等待两秒钟后恢复
          $icon.removeClass('ri-time-line');
          $icon.addClass('ri-file-copy-2-line');
          $span[0].innerText = 'COPY';
        }, 2000);
      });
    }
    initCopyCode();
  }(window, document);
</script>


<!-- CanvasBackground -->


    
  </div>
</body>

</html>